compeon-access_token 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: faae0c48728f4b0d7eb662200b67810cc8ebd96dc6966e1facf87382250fa224
+  data.tar.gz: a598675a7e638cb3d0dfc40e2f22fecd172699d0ab4c49fffd3a06e95e4ddb54
+SHA512:
+  metadata.gz: cec38a83ded44a217f7c399e24ea8a64de86bb1cbd5d54a65786dbb739d92fc8e5d24e3f8ff29a67bace1f4f71689dcd00a4625abc9d66add6343b3db4fb1306
+  data.tar.gz: c7243383dd55edd5267b21a11b40357c24612411abd2b1a3014f711c52bd7cf605f68adb4d3b7b0959c1b96ed5918f68856327af3967ca959d96f95cbe2eea02

data/.github/main.workflow

@@ -0,0 +1,17 @@
+workflow "CI" {
+  on = "push"
+  resolves = ["CI - All"]
+}
+
+action "CI - All" {
+  uses = "actions/bin/filter@d820d56839906464fb7a57d1b4e1741cf5183efa"
+  needs = [
+    "CI - Test"
+  ]
+}
+
+action "CI - Test" {
+  uses = "docker://lambci/lambda:build-ruby2.5"
+  runs = "bash"
+  args = ["-c", "bundle && bundle exec rake test"]
+}

data/.gitignore

@@ -0,0 +1,8 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6.2
+before_install: gem install bundler -v 2.0.1

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in compeon-access_token.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,24 @@
+PATH
+  remote: .
+  specs:
+    compeon-access_token (0.1.0)
+      jwt (~> 2.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    jwt (2.1.0)
+    minitest (5.11.3)
+    rake (10.5.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 2.0)
+  compeon-access_token!
+  minitest (~> 5.0)
+  rake (~> 10.0)
+
+BUNDLED WITH
+   2.0.1

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 COMPEON GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,76 @@
+# Compeon::AccessToken
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'compeon-access_token'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install compeon-access_token
+
+## Usage
+
+Encode a token
+
+```ruby
+token = Compeon::Token::Access.new(
+  client_id: 'compeon-auth',
+  role: 'customer',
+  user_id: '123'
+)
+
+token.aud = 'audience'
+token.iat = Time.now.to_i
+token.exp = Time.now.to_i + 3600 # 1 Expiry time is required and must be in the future.
+token.iss = 'issuer'
+token.sub = 'subject'
+
+token.encode(key: OpenSSL::PKey::RSA.new(private_key_string))
+# => eyJhbGciOiJIUzI1NiIsInR5cC...
+```
+
+Decode a token
+
+```ruby
+token = Compeon::Token::Access.decode(
+  encoded_token: 'eyJhbGciOiJIUzI1NiIsInR5cC...',
+  key: OpenSSL::PKey::RSA.new(private_key_string).public_key
+)
+
+token.client_id # => 'compeon-auth'
+token.role # => 'customer'
+token.user_id # => '123'
+token.aud # => 'audience'
+token.iss # => 'issuer'
+# etc.
+
+```
+
+Decode a token and verify reserved claims
+
+```ruby
+token = Compeon::Token::Access.decode(
+  # The `exp` claim is validated by default and is not needed here
+  claim_verifications: { aud: 'audience', iat: true, iss: 'issuer', sub: 'subject' },
+  encoded_token: 'eyJhbGciOiJIUzI1NiIsInR5cC...',
+  key: OpenSSL::PKey::RSA.new(private_key_string).public_key
+)
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/compeon/compeon-access_token.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.libs << 'lib'
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task default: :test

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'compeon/access_token'
+require 'compeon/token'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/compeon-accesss_token.gemspec

@@ -0,0 +1,28 @@
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'compeon/access_token/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'compeon-access_token'
+  spec.version       = Compeon::AccessToken::VERSION
+  spec.authors       = ['Timo Schilling']
+  spec.email         = ['timo@schilling.io']
+
+  spec.summary       = "Helper for handling COMPEON AccessToken's"
+  spec.description   = "Helper for handling COMPEON AccessToken's"
+  spec.homepage      = 'https://github.com/COMPEON/compeon-access_token'
+  spec.license       = 'MIT'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'jwt', '~> 2.1'
+
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'minitest', '~> 5.0'
+  spec.add_development_dependency 'rake', '~> 10.0'
+end

data/lib/compeon/access_token/version.rb

@@ -0,0 +1,5 @@
+module Compeon
+  class AccessToken
+    VERSION = '0.2.0'.freeze
+  end
+end

data/lib/compeon/access_token.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'compeon/access_token/version'
+
+require 'jwt'
+require 'open-uri'
+
+module Compeon
+  class AccessToken
+    class ParseError < RuntimeError; end
+
+    def initialize(role:, user_id:, kind:, client_id:, token:)
+      @role = role
+      @user_id = user_id
+      @kind = kind
+      @client_id = client_id
+      @token = token
+    end
+
+    attr_reader :role, :user_id, :kind, :client_id, :token
+
+    class << self
+      attr_writer :environment
+
+      def environment
+        @environment ||
+          ENV['ENVIRONMENT'] ||
+          raise("`#{self}.environment` or `ENV['ENVIRONMENT']` must be set")
+      end
+
+      def parse(token)
+        data, _header = JWT.decode(token, public_key, false, algorithm: 'RS256')
+
+        role = data.fetch('role')
+        user_id = data.fetch('uid')
+        kind = data.fetch('knd')
+        client_id = data.fetch('cid')
+
+        new(role: role, user_id: user_id, kind: kind, client_id: client_id, token: token)
+      rescue JWT::DecodeError
+        raise ParseError
+      end
+
+      def public_key
+        @public_key ||= OpenSSL::PKey::RSA.new(public_key_string)
+      end
+
+      def public_key_string=(value)
+        @public_key = nil
+        @public_key_string = value
+      end
+
+      def public_key_string
+        @public_key_string ||= begin
+          env_subdomain = environment != 'production' ? ".#{environment}" : nil
+          URI.parse("https://login#{env_subdomain}.compeon.de/public-key").read
+        end
+      end
+    end
+  end
+end

data/lib/compeon/token/access.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Compeon
+  module Token
+    class Access < Base
+      class << self
+        def attributes_mapping
+          {
+            client_id: :cid,
+            role: :role,
+            user_id: :uid
+          }.freeze
+        end
+
+        def jwt_algorithm
+          'RS256'
+        end
+
+        def kind
+          'access'
+        end
+      end
+
+      attr_accessor :client_id, :role, :user_id
+
+      def initialize(client_id:, role:, user_id:, **claims)
+        super(claims)
+        @client_id = client_id
+        @role = role
+        @user_id = user_id
+      end
+    end
+  end
+end

data/lib/compeon/token/base.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Compeon
+  module Token
+    class Base
+      attr_accessor :audience, :expires_at, :issued_at, :issuer, :not_before, :subject
+
+      class << self
+        def attributes
+          @attributes ||= attributes_mapping.keys.freeze
+        end
+
+        def registered_claims_mapping
+          {
+            audience: :aud,
+            expires_at: :exp,
+            issued_at: :iat,
+            issuer: :iss,
+            not_before: :nbf,
+            subject: :sub
+          }.freeze
+        end
+
+        def decode(claim_verifications: {}, encoded_token:, key:)
+          Compeon::Token::Decoder.new(
+            claim_verifications: claim_verifications,
+            encoded_token: encoded_token,
+            key: key,
+            token_klass: self
+          ).decode
+        end
+      end
+
+      def initialize(audience: nil, expires_at: nil, issued_at: nil, issuer: nil, not_before: nil, subject: nil)
+        @audience = audience
+        @expires_at = expires_at
+        @issued_at = issued_at
+        @issuer = issuer
+        @not_before = not_before
+        @subject = subject
+      end
+
+      def encode(key:)
+        Compeon::Token::Encoder.new(
+          key: key,
+          token: self
+        ).encode
+      end
+
+      def registered_claims
+        self
+          .class
+          .registered_claims_mapping
+          .invert
+          .transform_values { |claim| public_send(claim) }
+          .compact
+      end
+
+      def valid?
+        expires_at_valid? && attributes_valid?
+      end
+
+      def expires_at_valid?
+        !expires_at.nil? && expires_at > Time.now.to_i
+      end
+
+      def attributes_valid?
+        self.class.attributes.none? { |accessor| public_send(accessor).nil? }
+      end
+    end
+  end
+end

data/lib/compeon/token/decoder.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'jwt'
+
+module Compeon
+  module Token
+    class DecodeError < StandardError; end
+
+    class Decoder
+      def initialize(claim_verifications: {}, encoded_token:, key:, token_klass:)
+        @claim_verifications = claim_verifications
+        @encoded_token = encoded_token
+        @key = key
+        @token_klass = token_klass
+      end
+
+      def decode
+        raise DecodeError if decoded_token[:knd] != token_klass.kind
+
+        attributes = decoded_token_attributes
+        attributes.delete(:knd)
+
+        token_klass.new(attributes)
+      end
+
+      private
+
+      attr_reader :claim_verifications, :encoded_token, :key, :token_klass
+
+      def decoded_token
+        @decoded_token ||= JWT.decode(
+          encoded_token,
+          key,
+          true,
+          algorithm: token_klass.jwt_algorithm,
+          **compiled_claim_verifications
+        )[0].transform_keys(&:to_sym)
+      rescue JWT::DecodeError
+        raise DecodeError
+      end
+
+      def decoded_token_attributes
+        attributes_mapping = token_klass.attributes_mapping
+        registered_claims_mapping = token_klass.registered_claims_mapping
+
+        decoded_token.transform_keys do |attribute|
+          attributes_mapping.key(attribute) ||
+            registered_claims_mapping.key(attribute) ||
+            attribute
+        end
+      end
+
+      def compiled_claim_verifications
+        {}.tap do |verifications|
+          %i[aud iss sub].each do |claim|
+            next unless claim_verifications[claim]
+
+            verifications[claim] = claim_verifications[claim]
+            verifications[:"verify_#{claim}"] = true
+          end
+
+          verifications[:verify_iat] = true if claim_verifications[:iat]
+        end
+      end
+    end
+  end
+end

data/lib/compeon/token/encoder.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'jwt'
+
+module Compeon
+  module Token
+    class EncodeError < StandardError; end
+
+    class Encoder
+      def initialize(key:, token:)
+        @token = token
+        @key = key
+
+        raise 'No key given.' if @key.nil?
+        raise 'Token is invalid.' unless @token.valid?
+      end
+
+      def encode
+        JWT.encode(
+          {
+            **attributes,
+            **token.registered_claims,
+            knd: token.class.kind
+          },
+          key,
+          token.class.jwt_algorithm
+        )
+      rescue JWT::EncodeError
+        raise EncodeError
+      end
+
+      private
+
+      attr_reader :token, :key
+
+      def attributes
+        token
+          .class
+          .attributes_mapping
+          .invert
+          .transform_values { |attribute| token.public_send(attribute) }
+      end
+    end
+  end
+end

data/lib/compeon/token.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'compeon/token/base'
+require 'compeon/token/access'
+require 'compeon/token/decoder'
+require 'compeon/token/encoder'
+
+module Compeon
+  module Token
+  end
+end

metadata

@@ -0,0 +1,117 @@
+--- !ruby/object:Gem::Specification
+name: compeon-access_token
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Timo Schilling
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-09-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Helper for handling COMPEON AccessToken's
+email:
+- timo@schilling.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/main.workflow"
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- compeon-accesss_token.gemspec
+- lib/compeon/access_token.rb
+- lib/compeon/access_token/version.rb
+- lib/compeon/token.rb
+- lib/compeon/token/access.rb
+- lib/compeon/token/base.rb
+- lib/compeon/token/decoder.rb
+- lib/compeon/token/encoder.rb
+homepage: https://github.com/COMPEON/compeon-access_token
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Helper for handling COMPEON AccessToken's
+test_files: []